
Defense In-Depth

FORESEC Academy
Security Essentials (II):
Defense In-Depth

Defense in-Depth Agenda

- Defense in-Depth
- Basic Security Policy
- Access Control and Password Management
- Incident Handling Foundations
- Information Warfare
- Web Communications and Security

Defense in-Depth

We have covered: networking, IP, IP behaviour, basic traffic analysis, routing, and host perimeter defense.
Now we add security policy, password strength and assessment, incident handling, information warfare and web security.

Defense in-Depth (2)

Three Bedrock Principles
- Confidentiality
- Integrity
- Availability

Identity, Authentication & Authorization

Don't Authentication and Identity mean the same thing?
If we have Authentication and Identity, then do we need Authorization?

Authentication

Based on:
- Something you know: Password, PIN
- Something you have: Photo ID or Security Token
- Something you are: Biometrics

Security Token

Combined with a PIN, this is two-factor authentication: something you have and something you know.
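The "something you have plus something you know" check on this slide, written out as an added example that is not part of the FORESEC deck. It models the token as an event-based one-time-code generator (HOTP, RFC 4226) and the PIN as a salted PBKDF2 hash; the token secret, PIN, account store and look-ahead window are all constructed for the example. The point to notice is that both factors are always evaluated, a single failure result covers both, and an accepted token code can never be replayed.

```python
import hashlib
import hmac
import os
import struct

# --- Something you have: an HOTP-style hardware/software token (RFC 4226) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a given event counter, using RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble selects the 4-byte window
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)

# --- Something you know: a PIN stored only as a salted, stretched hash ---

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 200_000)


class TwoFactorVerifier:
    """Constructed single-user account store: token secret, PIN hash, last used counter."""

    def __init__(self, token_secret: bytes, pin: str, window: int = 3):
        self.secret = token_secret            # shared with the token at enrolment (assumed)
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.counter = 0                      # highest counter value accepted so far
        self.window = window                  # how far the token may have run ahead

    def verify(self, pin: str, code: str) -> bool:
        # Factor 1 (something you know): constant-time comparison of the PIN hash.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)

        # Factor 2 (something you have): only counters beyond the last accepted one
        # are tried, so a captured code cannot be replayed.
        token_ok = False
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c              # burn this counter, even if the PIN was wrong
                token_ok = True
                break

        # Both factors are always evaluated and a single False is returned either way,
        # so the caller learns nothing about which factor failed.
        return pin_ok and token_ok


if __name__ == "__main__":
    # Constructed enrolment values; the secret is the RFC 4226 test-vector key.
    secret = b"12345678901234567890"
    verifier = TwoFactorVerifier(secret, pin="4711")
    print("login:", verifier.verify("4711", hotp(secret, 1)))   # both factors present
    print("replay:", verifier.verify("4711", hotp(secret, 1)))  # same code again is refused
```

The look-ahead window exists because a hardware token advances its counter every time its button is pressed, whether or not a login follows; a server that insisted on exactly the next counter would lock the user out after one accidental press.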

Biometric authentication

- Iris scanners
- Retinal scanners
- Hand geometry substantiaters
- Finger scanners, and many others as well . . . even facial scanners

Biometric authentication

Despite its rising popularity, biometric authentication is not without its downsides. Unlike passwords or tokens, biometric parameters cannot be changed once compromised. Moreover, some aspects of the body can be simulated for detectors, as seen in many spy movies.

Data Classification

We classify data with differing levels of sensitivity.
Why do we put labels on our data? You can't protect it all, so some data requires more protection than others.

A quick listing of the DoD and federal levels

- Top Secret - The highest levels of protection are given to this data; it is critical to protect.
- Secret - This data is important, and its release could harm national security.
- Confidential - This is important, and it could be detrimental to national security if released.
- Sensitive But Unclassified (SBU) - This generally is information that is sensitive and should not be released (like SSNs).
- Unclassified - They prefer to keep it from being released, but the nation would not be harmed if it were.

Threats

Activity that represents possible danger.
- Can come in different forms and from different sources.
- There are physical threats, like fires, floods, terrorist activities, and random acts of violence.
- And there are electronic threats, like hackers, vandals, and viruses.

Threats

You can't protect against all threats.
Protect against the ones that are most likely or most worrisome based on:
- Business goals
- Validated data
- Industry best practice

Vulnerabilities

- Weaknesses that allow threats to happen
- Must be coupled with a threat to have an impact
- Can be prevented (if you know about them)

Relating Risk, Threat and Vulnerability

Risk = Threat x Vulnerability

The Threat Model

Threat -> Vulnerability -> Compromise

Vulnerabilities are the gateways by which threats are manifested.

Five Lessons from History

- Morris worm - Availability - 1988
- Melissa - Availability - 1999
- W32.SirCam worm - Confidentiality - 2001
- Code Red II - Integrity - 2001
- Blaster worm - Availability and Integrity - 2003
